2. IT Security Threat Categories as Seen by Information Security Standards (Compliance)
• Accidents
• Malicious Acts
• Acts of God
2/3 of these threats must be managed by IT Operations and can be addressed through process.
3. IT Security “Pyramid of Needs”
IT Security (layers of the pyramid, top to bottom):
• Audits/Compliance
• Monitoring
• Incident response
• Standards
• Policy
IT Operations (base of the pyramid)
You cannot manage IT Security without healthy IT Operations.
4. Requirements For IT Operations Disguised as Security
• ISO 27001
• PCI
• MITS (Canada)
• US (state) cyber security policy
There are hidden IT Operations requirements in IT Security Compliance (think DRP, network architecture, identity/access management etc.).
External compliance sees IT Security as governance for all IT and forces IT Security concerns to dominate IT Operations decision making unless it is already aligned with security objectives.
5. Hidden Cost of Security for IT Operations
IT Security
• Compliance
• Information Security Standard
IT Operations
• Wasted resources on an ineffective security program built on an insecure foundation
• Disruption due to compliance audits
• Inefficient incident response
6. Getting Security out of your kitchen: What Security Manages vs. What IT Operations Manages
IT Security
• IT Security Policy/Standards
• Risk Assessment
• Vulnerability Assessment
• *Compliance and TESTING (Internal/External)
• *Audits (Internal/External)
• IT Security Monitoring and Alerting
• Malicious Incident Response
IT Operations
• Configuration Management
• Life Cycle Support
• Disaster Recovery Planning
• Non Malicious Incident Response (Availability)
*External Compliance and Audits require IT Operations to report the status of some processes to IT Security (e.g. baseline configuration, DRP).
7. Configuration Management
Baselines (Application and System)
• One baseline configuration document per OS variant
• One baseline configuration document per application
• Review of baselines for new versions of the application or OS
• Mandatory that all systems meet the baseline
IT Security Services
• Mandatory internal compliance audit to ensure the baseline is applied during the test phase
• Internal compliance audit to ensure the baseline is maintained during the life cycle
• Advice on system hardening and secure configuration for baselines
8. Life Cycle Support
Deployment and System Support Documentation
• A system support document must be created for all systems that are supported and include the following:
  • Asset list for the system
  • Network diagram
  • System and application baseline document and additional configuration
  • Release management acceptance document for all in-house developed software
Change Management
• All production systems must be subject to change management
• All changes must be tracked, and deployment and system support documentation updated
• Some changes may require approval based on criteria set by IT Operations Management
Patch Management
• All production systems must have a defined patch cycle
• Resources must be made available for out-of-cycle patching of critical security vulnerabilities
IT Security Services
• Critical vulnerability alerts
• Risk assessment and vulnerability assessments for new systems and critical system changes
9. Disaster Recovery Planning and Testing
Disaster Recovery Plan (DRP)
• All production systems must have a DRP written down
• The plan can indicate that the system has no DRP in the case of non-critical systems
• The DRP must include the steps taken to bring the system back online
Testing
• All systems with a DRP must have a defined test schedule
• A DRP test is only considered complete if all the steps in the DRP are executed
10. Non Malicious Incident Response (Availability)
Monitoring
• Monitor production systems for availability, unauthorized access, unauthorized configuration changes and other incidents
Incident Response
• Respond to all system incidents and lead the investigation into non malicious incidents
Corrective Action
• Track non malicious incidents and implement corrective action where trends appear
• Implement corrective action recommended by IT Security in the event of a malicious incident
IT Security Services
• Monitor systems for malicious incidents
• Inform IT Operations of all incidents
• Investigate and provide corrective action for all malicious incidents
11. A high level view
[Diagram: System Development Life Cycle (Requirements, Design, Implement, Test, Operate/Maintain, Retire) with the process activities placed on its phases: Risk Assessment; Baseline Configuration; Deployment and Support Docs; DRP; Defined patch cycle; Implement Monitoring; Vulnerability Assessment; Internal Compliance Audit; Test DRP; Monitoring/Incident Response Test; DRP Test Schedule; Patch Management; Change Management.]
12. Ensuring Your Processes Meet Compliance Requirements
Audit Fundamentals
• If it’s not written down it doesn’t exist
• If it’s not reviewed and enforced it doesn’t comply
• If it’s not followed it’s an incident
13. Drawing A Line In The Sand
Security views all systems that are not governed by these processes as Unmanaged.
14. Getting From Unmanaged to Managed
1.
• Define and document your processes
• Each process must exist and be enforced through a policy or operating procedure
• Existing processes can be amended and written down
2.
• Create a system upgrade plan for migration from unmanaged to managed
• The plan must include either an end-of-life or a compliance date for all systems
• Systems should be prioritized based on the business processes they support
3.
• Ensure all new systems conform to the processes
• Action the unmanaged-to-managed plan
15. KPIs – Measuring (IT Operations) Security Posture
IT Operations security coverage
• Number of managed vs. unmanaged systems
IT Operations security management
• Number of non compliance findings on managed systems (percent of total systems)
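The following is an added example, not part of the original deck, showing how the internal compliance audit against an OS baseline (slide 7), the "if it's not followed it's an incident" rule (slide 12) and the two KPIs of slide 15 can be turned into a small audit script. The baselines, system inventory and setting names are constructed sample data, not the author's or any standard's real baseline content.

```python
"""Baseline compliance audit and KPI roll-up (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional

# One baseline document per OS variant (slide 7). Setting names are
# hypothetical; values are the required configuration. Constructed sample data.
BASELINES = {
    "linux-server": {
        "ssh.password_auth": "no",
        "ssh.permit_root_login": "no",
        "firewall.enabled": "yes",
        "audit.daemon": "running",
    },
    "windows-server": {
        "smb.v1": "disabled",
        "rdp.nla_required": "yes",
        "firewall.enabled": "yes",
        "defender.realtime": "on",
    },
}

@dataclass
class System:
    name: str
    os_variant: str
    managed: bool                                  # governed by the documented processes (slide 13)
    observed: dict = field(default_factory=dict)   # settings as collected from the host

@dataclass
class Finding:
    system: str
    setting: str
    expected: str
    actual: Optional[str]                          # None = setting absent on the host

def audit_system(system: System) -> list:
    """Compare a managed system's observed configuration to its OS baseline.

    Every deviation is a finding; per slide 12 an unfollowed baseline is an
    incident, so a missing setting counts the same as a wrong value.
    Unmanaged systems are not audited: they sit outside the processes.
    """
    if not system.managed:
        return []
    baseline = BASELINES[system.os_variant]        # KeyError: no baseline document exists
    return [
        Finding(system.name, key, expected, system.observed.get(key))
        for key, expected in baseline.items()
        if system.observed.get(key) != expected
    ]

def compute_kpis(systems: list) -> dict:
    """Slide 15 KPIs: coverage (managed vs. unmanaged) and management quality
    (non-compliance findings on managed systems, as a percent of total systems)."""
    total = len(systems)
    managed = [s for s in systems if s.managed]
    findings = [f for s in managed for f in audit_system(s)]
    noncompliant = {f.system for f in findings}
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "total_systems": total,
        "managed_systems": len(managed),
        "unmanaged_systems": total - len(managed),
        "managed_percent": pct(len(managed)),
        "findings": len(findings),
        "noncompliant_systems": len(noncompliant),
        "noncompliant_percent": pct(len(noncompliant)),
    }

# Constructed sample inventory: four systems, three of them managed.
SAMPLE_SYSTEMS = [
    System("web01", "linux-server", True, {
        "ssh.password_auth": "no", "ssh.permit_root_login": "no",
        "firewall.enabled": "yes", "audit.daemon": "running"}),
    System("db01", "linux-server", True, {
        "ssh.password_auth": "yes",                # deviates from the baseline
        "ssh.permit_root_login": "no", "firewall.enabled": "yes"}),  # audit.daemon missing
    System("ad01", "windows-server", True, {
        "smb.v1": "disabled", "rdp.nla_required": "yes",
        "firewall.enabled": "yes", "defender.realtime": "on"}),
    System("legacy01", "windows-server", False, {"smb.v1": "enabled"}),  # unmanaged
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        for f in audit_system(s):
            print(f"INCIDENT {f.system}: {f.setting} expected {f.expected!r}, got {f.actual!r}")
    print(compute_kpis(SAMPLE_SYSTEMS))
```

On the sample inventory the script raises two incidents for db01 (password authentication enabled, audit daemon absent) and reports 3 of 4 systems managed with 1 non-compliant managed system (25% of total). The unmanaged legacy host produces no findings because, as slide 13 puts it, it is simply outside the line; the coverage KPI is what makes that gap visible.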